Greetings:
Well, I don't know about your first question, but I asked something
similar to your second question a while back. You can specify
multiple ossec servers in your client config. If you do so, the
agents communicate with them in the order you specify. If the first
server goes down, the agent will communicate with the second server.
If the second server goes down, the agents will switch to the third
server and so on. That is:
<client>
<server-ip>10.11.12.1</server-ip>
<server-ip>10.11.12.2</server-ip>
<server-ip>10.11.12.3</server-ip>
</client>
For the server end, since 1.6 ossec has supported multiple servers.
See:
http://www.ossec.net/main/manual/manual-muti-server-architecture
--cryogen
On Jun 27, 2009, at 10:09 PM, macker wrote:
> Hey folks,
>
> I'm new to the list, im macker. Forgive me if these questions have
> been asked already, as I didn't see them after going though
> previous messages. I have also read an ossec book which was great,
> and still couldn't find the answer.
>
> I am rolling out ossec to a segment of my network (about 55
> servers). These are split between east/west coast and are
> redundant locations.
>
> 1) user accounts: ossec requires 3 seperate user accounts and 1
> group account. Due to my internal linux patch management system, it
> would be preferrable not to need 3 sperate user accounts. Is there
> a way to have it run as 1 user account, or is that lowering the
> security/segregation of duty, etc?
>
> 2) Is it possible to have redundant ossec central servers set up?
> Not sure how that would work since you would be sending logs to two
> seperate locations. Also, if were to move my one management station/
> central ossecd, to the other coast, culd I just copy the text file
> w/ the agent keys on it over, or are those keys based off some type
> of salt/encryption built specific the ossecd box.
>
> 3) Anyone have success/horror stories I should be aware about with
> this amount of servers? Perhaps helpful advice, lessons learned.
>
> Thanks,
> - macker
>
